Third-Party Risk Series: Vendor Email Compromise

John Aziz
January 29, 2020


Last year we saw a lot of focus on Third-Party Risk and how companies could work towards mitigating that threat. Our Security Practice Director, Saaim Khan, produced this executive summary – Navigating Third Party Information Security Risks, which looked at the risk from a Governance, Risk and Compliance perspective. But in this blog series, we’ll be taking a look at some of the specific ways attackers are exploiting third party risk and breaking down the attack vector, identifying how organisations can protect themselves against the threat.

In our first post, we’ll be looking at the breakout term of 2019, Vendor Email Compromise (VEC), and Infotrust’s Senior Security Engineer, John Aziz explains more below.


Vendor Email Compromise is a term that has been coined in 2019. As you’ve probably guessed it’s closely aligned to Business Email Compromise (BEC), where an attacker usually spoofs a senior level individual within a business and sends an email to one of their coworkers asking for an urgent request such as a payment or sharing sensitive information. The classic example of this being the CEO to CFO attack, cybercriminal pretends to be CEO requesting an urgent payment from CFO to a supplier. CFO obliges as they want to do a good job and later finds out that it wasn’t in fact the CEO and they’ve transferred money to a cyberattacker’s bank account.

VEC is the same technique but the attacker focuses on known suppliers or third parties that the victim organisation uses or partners with. This requires a large amount of time and resources to undertake research and get the level of detail required to enact the attack successfully. This reconnaissance will typically take place after the initial intrusion attack, which could be a phishing email that an employee has unknowingly fallen victim to and given the attacker access to their email.

Once the attacker is inside a staff member’s account they are then able to create forwarding rules and gather further intel into their email behaviour with the third party; dates payments are due, typical requests and billing practices. After enough information has been gathered the attacker will then insert themselves into the correspondence, sending a fake invoice but at the correct time with the right information, other than the fact the bank details have changed.


The reason this new attack type is so terrifying is that it’s working, and very well. Cybercriminals are able to become super detailed with their invoices and timing, which makes it very difficult for the end-user to detect there’s an issue. Our partner, Agari’s Cyber Intelligence Division (ACID) released a report last year which looked at a cybercriminal gang in Nigeria that had been undertaking these attacks with great success. From their research they identified that the Silent Starling gang had between 8 – 10 people working for them, operating at least since 2018 and targeting about 500 businesses in the space of a year.

To read the full Silent Starling report from ACID click here.

In another example found by ACID at the start of 2020, a group named Ancient Tortoise was observed to be impersonating CFOs requesting a copy of an updated aging report, as well as the contact information for each of customer’s accounts payable contacts. Once the Ancient Tortoise gang had obtained this intel, the attackers would then leverage the information to contact the customer’s accounts payable departments given in the aging report requesting payment for the invoices referenced within the report.

Find out more about the Ancient Tortoise gang here.


Many vendors are now touting VEC as the biggest security challenge for 2020 and beyond. The key vulnerability these types of attacks exploit are your organisation’s end-users, relying on the fact that your employees are wanting to work effectively and efficiently.

Therefore, security awareness training should be a key component for all businesses’ security strategy. Ensuring that new employees are trained to spot a potentially malicious email and consistently updating your training resources to highlight new emerging threats is imperative.

Furthermore, making sure there are stringent processes in place for employees to follow when carrying out payments or sensitive information requests, and they are being followed is key.

Employing next-generation impersonation controls is also advised. Most Secure Email Gateways will offer this functionality within their solutions and these controls can go some way to help mitigate the threat of fraudulent emails making their way to your employees’ inboxes.

Infotrust would also advise looking at specialised technologies that have been created to deal with these types of sophisticated attacks specifically. Agari’s Phishing Defense solution is built to help organisations trust their inbox, by working to stop identity deception attacks. By utilising data science, trust analytics and machine-learning the Phishing Defense solution is able to model what is “trusted” behaviour within the business.

Watch out for the next post in the Third-Party Risk series coming next week!